SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  FTP ALG: Active and Passive on srx340

    Posted 11-18-2019 09:18

    Hello guys,

     

    1. I would like to know how to make FTP active and passive work using the FTP ALG. What I've configured so far is the following config with policy, but I can't establish a connection. If I disable the FTP ALG, then FTP active works, but not passive. What am I doing wrong? I have looked at several forums for the same solution, but it doesn't seem to work for me.

    Tried option 1:

    FTP ALG:

    ftp disabled ftps-extension

     

    policy:

    policy DATAHUB_TEST {
        match {
            source-address SRV-DATAHUB-TEST;
            destination-address NET_TEST;
            application [ junos-ftp PASSIVE_FTP_PORTS ];
        }
        then {
            permit;
        }
    }

    PASV ports:

    application PASSIVE_FTP_PORTS {
        protocol tcp;
        destination-port 1024-65535;
    }

    2. I have also tried it with an ftp-ALGignore application applied to the policy. When I commit the policy you see that the FTP active connection is established only because of PASSIVE_FTP_PORTS. But when I delete PASSIVE_FTP_PORTS from the application list, then FTP active does not work anymore. I think that by using this method I am making pinholes to permit data channel connections to be established. This means I am opening a gate from outside?

    Tried option 2:

    FTP ALG:

    ftp ftps-extension

     

    policy:

    policy DATAHUB_TEST {
        match {
            source-address SRV-DATAHUB-TEST;
            destination-address NET_TEST;
            application [ ftp-ALGignore PASSIVE_FTP_PORTS ];
        }
        then {
            permit;
        }
    }

    PASV ports:

    application PASSIVE_FTP_PORTS {
        protocol tcp;
        destination-port 1024-65535;
    }

    FTP ALG ignore:

    set applications application ftp-ALGignore application-protocol ignore protocol tcp destination-port 21

     

    Thanks



  • 2.  RE: FTP ALG: Active and Passive on srx340

    Posted 11-28-2019 11:19

    With the FTP ALG turned on, try this policy.

    Assuming the FTP client is SRV-DATAHUB-TEST and the FTP file server is NET_TEST:

    policy DATAHUB_TEST {
        match {
            source-address SRV-DATAHUB-TEST;
            destination-address NET_TEST;
            application [ junos-ftp ];
        }
        then {
            permit;
        }
    }


  • 3.  RE: FTP ALG: Active and Passive on srx340

    Posted 12-02-2019 23:34

    Hello,

     

    Thank you, FTP active/passive is working now. How do I also make FTP work through VPN and source NAT towards remote sites?

    ALG:

    ftp ftps-extension enabled

     

    IPSEC:
    security {
        ike {
            proposal cust-vpn3 {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy cust-vpn3 {
                mode main;
                proposals cust-vpn3;
                pre-shared-key ascii-text "$9$qQgoGf5z9Aaatp"; ## SECRET-DATA
            }
            gateway cust-vpn3 {
                ike-policy cust-vpn3;
                address 89.234.187.21;
                dead-peer-detection {
                    interval 10;
                    threshold 5;
                }
                local-identity inet 5.100.21.88;
                remote-identity inet 89.234.187.21;
                external-interface reth0.100;
            }
        }
        ipsec {
            proposal cust-vpn3 {
                protocol esp;
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy cust-vpn3 {
                perfect-forward-secrecy {
                    keys group14;
                }
                proposals cust-vpn3;
            }
            vpn cust-vpn3 {
                bind-interface st0.10;
                ike {
                    gateway cust-vpn3;
                    ipsec-policy cust-vpn3;
                }
                traffic-selector NET-PROD-CUST {
                    /* NAT IP */
                    local-ip 172.39.31.39/32;
                    remote-ip 172.16.4.0/25;
                }
                establish-tunnels immediately;
            }
        }
    }

    NAT:

    nat {
        source {
            pool vpn-cust-pool {
                address {
                    172.39.31.39/32;
                }
            }
            rule-set vpn-cust-nat {
                from zone application;
                to zone vpn-cust;
                rule snat-cust {
                    match {
                        source-address 172.23.168.0/21;
                        destination-address 172.16.4.0/25;
                    }
                    then {
                        source-nat {
                            pool {
                                vpn-cust-pool;
                            }
                        }
                    }
                }
            }
        }
    }


    Global addressbook:
    set security address-book global address NET-PROD 172.23.168.0/21
    set security address-book global address NET-CUST 172.16.4.0/25

     

    Application:
    application FTP-ALGignore {
        application-protocol ignore;
        protocol tcp;
        destination-port 21;
    }
    application PASSIVE_FTP_PORTS {
        protocol tcp;
        destination-port 1024-65535;
    }

    Security Policy:
    from-zone application to-zone vpn-cust {
        policy VPN-PROD-to-CUST {
            match {
                source-address NET-PROD;
                destination-address NET-CUST;
                application [ FTP-ALGignore PASSIVE_FTP_PORTS ];
            }
            then {
                permit;
            }
        }
    }



  • 4.  RE: FTP ALG: Active and Passive on srx340

    Posted 12-03-2019 16:51

    Do you have the static route set up for 172.16.4.0/25 to st0.10?

    If that is in place, can you generate traffic and see if the sessions are created?

    show security flow session destination-prefix 172.16.4.0/25 source-prefix 172.23.168.0/21

     



  • 5.  RE: FTP ALG: Active and Passive on srx340

    Posted 12-09-2019 13:25

    Hello Steve,

     

    Node0: secondary (backup)

    Node1: primary  (active)

     

     

    We notice that when setting up the FTP session, after a few seconds the session fails within the default idle timeout of 1800.

    We see that sessions are created on both node0 and node1. The timeout on node1, the active node, is initially 20 seconds; on the inactive (backup) node0 it is 1800 x 8. This is expected behavior, which can also be found in the documentation.


    However, what we observe afterwards is that the return traffic is matched on the session on node0 and not node1. Because the session on node1 never processes an ACK for the SYN, it falls into a timeout. This ensures that both sessions are then cleaned up. So 20 seconds after the start of the connection, I see the sessions fall into an idle timeout.

    So the issue is not about FTP ALG/passive; that seems to work. Instead it is about processing asymmetric traffic between the two nodes. I don't know if this is a bug in the chassis cluster between nodes?

    What I also did as a test scenario is that I disabled one uplink on the backup node0, so the second uplink is active towards node1, and made sure that all traffic will be processed on the active node1. And that seems to work well. But when I enabled the uplink towards node0, the problem seems to appear again. I do not know if it is due to asymmetric traffic over the nodes, because if traffic goes into the secondary requesting to establish a session, it should fail. This traffic is only meant for failover.

    Also, sometimes we see that the backup node0 times out my sessions, while on the active node the session timeout is 1800.

     

    #show route 172.16.4.0/25
    inet.0: 28 destinations, 28 routes (28 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    172.16.4.0/25 *[Static/5] 1w1d 14:10:16
    > via st0.10


    #show security flow session destination-prefix 172.16.4.0/25 source-prefix 172.23.168.0/21

    node0:
    --------------------------------------------------------------------------

    Session ID: 174627, Policy name: VPN-PROD-to-CUST/120, State: Active, Timeout: 1796, Valid
    In: 172.23.173.2/38944 --> 172.16.4.6/21;tcp, Conn Tag: 0x0, If: reth1.20, Pkts: 0, Bytes: 0,
    Out: 172.16.4.6/21 --> 172.39.31.39/17751;tcp, Conn Tag: 0x0, If: st0.10, Pkts: 7, Bytes: 544,
    Total sessions: 1

    node1:
    --------------------------------------------------------------------------

    Session ID: 298383, Policy name: VPN-PROD-to-CUST/120, State: Active, Timeout: 8, Valid
    In: 172.23.173.2/38944 --> 172.16.4.6/21;tcp, Conn Tag: 0x0, If: reth1.20, Pkts: 10, Bytes: 570,
    Out: 172.16.4.6/21 --> 172.39.31.39/17751;tcp, Conn Tag: 0x0, If: st0.10, Pkts: 0, Bytes: 0,
    Total sessions: 1

    {primary:node1}

     

     

     



  • 6.  RE: FTP ALG: Active and Passive on srx340

    Posted 12-10-2019 02:49

    I'm having trouble following the thread, but I think you are saying the traffic flows through the SRX cluster are asymmetrical, using both nodes. If that is the case, you need to change the cluster from active/passive to active/active for the flows to work.

     



  • 7.  RE: FTP ALG: Active and Passive on srx340

    Posted 12-12-2019 11:06

    Hello Suli,

     

    It appears that your tunnel interface is active on node0 but the LAN interface is active on node1. The return traffic should NOT be reaching node0. I would suggest you check how the outgoing interfaces are configured in the cluster.

    Note that if the SRX finds an outgoing interface on the other node, it would install a "Forwarding" session on node1 instead of "Active", as seen in your output.

     

    Thanks!
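    As an added example (not code from this thread, from Juniper, or from any poster), the asymmetric-session pattern described in posts 5 and 7 can be spotted mechanically: the script below parses the "show security flow session" lines quoted in post 5 and flags any flow whose In-wing packets are counted on one node while its Out-wing packets are counted only on the other. The regexes, field names and the trimmed sample text are assumptions of this example.

```python
import re

# Constructed reproduction of the "show security flow session" lines quoted in post 5.
SAMPLE = """\
node0:
Session ID: 174627, Policy name: VPN-PROD-to-CUST/120, State: Active, Timeout: 1796, Valid
 In: 172.23.173.2/38944 --> 172.16.4.6/21;tcp, Conn Tag: 0x0, If: reth1.20, Pkts: 0, Bytes: 0,
 Out: 172.16.4.6/21 --> 172.39.31.39/17751;tcp, Conn Tag: 0x0, If: st0.10, Pkts: 7, Bytes: 544,
node1:
Session ID: 298383, Policy name: VPN-PROD-to-CUST/120, State: Active, Timeout: 8, Valid
 In: 172.23.173.2/38944 --> 172.16.4.6/21;tcp, Conn Tag: 0x0, If: reth1.20, Pkts: 10, Bytes: 570,
 Out: 172.16.4.6/21 --> 172.39.31.39/17751;tcp, Conn Tag: 0x0, If: st0.10, Pkts: 0, Bytes: 0,
"""

NODE_RE = re.compile(r"^(node\d+):")
SESS_RE = re.compile(r"^Session ID: (\d+),.*State: (\w+), Timeout: (\d+)")
WING_RE = re.compile(r"^\s*(In|Out): (\S+) --> (\S+);(\w+),.*If: (\S+), Pkts: (\d+)")

def parse_sessions(text):
    """Return {node: [session, ...]}; each session keeps state, timeout and its In/Out wings."""
    nodes, node, cur = {}, None, None
    for line in text.splitlines():
        if m := NODE_RE.match(line):
            node, cur = m[1], None
            nodes[node] = []
        elif m := SESS_RE.match(line):
            cur = {"id": int(m[1]), "state": m[2], "timeout": int(m[3]), "wings": {}}
            nodes[node].append(cur)
        elif (m := WING_RE.match(line)) and cur is not None:
            cur["wings"][m[1]] = {"src": m[2], "dst": m[3], "proto": m[4],
                                  "if": m[5], "pkts": int(m[6])}
    return nodes


def find_asymmetric(nodes):
    """Flag flows whose In-wing packets sit on one node while Out-wing packets sit only on
    another: the reply hits the wrong cluster member and the first session idles out."""
    by_flow = {}
    for node, sessions in nodes.items():
        for s in sessions:
            if w := s["wings"].get("In"):
                by_flow.setdefault((w["src"], w["dst"], w["proto"]), []).append((node, s))
    findings = []
    for flow, entries in by_flow.items():
        fwd = {n for n, s in entries if s["wings"]["In"]["pkts"] > 0}
        rev = {n for n, s in entries if s["wings"].get("Out", {}).get("pkts", 0) > 0}
        if fwd and rev and not fwd & rev:
            findings.append({"flow": flow, "forward_on": sorted(fwd), "return_on": sorted(rev)})
    return findings
```

    A finding whose forward_on and return_on nodes differ is the symptom the thread ends up attributing to ECMP uplinks active on different cluster nodes; a healthy flow shows both wings counting packets on the same node.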



  • 8.  RE: FTP ALG: Active and Passive on srx340
    Best Answer

    Posted 01-22-2020 03:06

    Hello guys,

     

    [Attachment: junos outgoing interfaces.JPG]

    Sorry for the late response; we were working with Juniper support to find the problem and solution. It appears that the problem occurs when ECMP is used between the ISP and us in an active-active chassis cluster while the outgoing interfaces are active on different nodes. Therefore, load balancing will not work. According to Juniper, the advice/solution is to configure the uplinks as reth interfaces or upgrade the firmware to a Junos OS release (15.1X49-D210, 18.4R3, 19.1R3, 19.2R2, 19.3R3, or 19.4R2) that adds a new feature command to support ECMP when outgoing interfaces are active on different nodes. So we are hoping to try this out next week.

    After the firmware upgrade, then:

    set security flow no-local-favor-ecmp

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB35365